Securing Password Authentication for Web-based Applications

2022 IEEE Conference on Dependable and Secure Computing (DSC) Pub Date : 2020-11-12 DOI:10.1109/DSC54232.2022.9888923

Teik Guan Tan, Pawel Szalachowski, Jianying Zhou

{"title":"Securing Password Authentication for Web-based Applications","authors":"Teik Guan Tan, Pawel Szalachowski, Jianying Zhou","doi":"10.1109/DSC54232.2022.9888923","DOIUrl":null,"url":null,"abstract":"There is currently no foolproof mechanism for any website to prevent their users from being directed to fraudulent websites and having their passwords stolen. Phishing attacks continue to plague password-based authentication despite ag-gressive efforts in detection, takedown, user awareness and training programs. In this paper, we apply a threat analysis on the web password login process, and highlight a design shortcoming in the HTML field which we recommend be deprecated. This weakness can be exploited for phishing and man-in-the-middle (MITM) attacks as the web authentication process is not end-to-end secured from each input password field to the web server. We identify four protocol properties and one browser property that encapsulate the requirements to stop web-based password phishing and MITM attacks, and propose a secure protocol to be used with a new input credential field that complies with the properties. We further analyze the proposed protocol through an abuse-case evaluation and perform a test implementation to understand its data and execution overheads.","PeriodicalId":368903,"journal":{"name":"2022 IEEE Conference on Dependable and Secure Computing (DSC)","volume":"101 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Conference on Dependable and Secure Computing (DSC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSC54232.2022.9888923","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

There is currently no foolproof mechanism for any website to prevent their users from being directed to fraudulent websites and having their passwords stolen. Phishing attacks continue to plague password-based authentication despite ag-gressive efforts in detection, takedown, user awareness and training programs. In this paper, we apply a threat analysis on the web password login process, and highlight a design shortcoming in the HTML field which we recommend be deprecated. This weakness can be exploited for phishing and man-in-the-middle (MITM) attacks as the web authentication process is not end-to-end secured from each input password field to the web server. We identify four protocol properties and one browser property that encapsulate the requirements to stop web-based password phishing and MITM attacks, and propose a secure protocol to be used with a new input credential field that complies with the properties. We further analyze the proposed protocol through an abuse-case evaluation and perform a test implementation to understand its data and execution overheads.

查看原文本刊更多论文

保护基于web的应用程序的密码身份验证

目前，任何网站都没有万无一失的机制来防止用户被引导到欺诈网站，并防止他们的密码被盗。尽管在检测、删除、用户意识和培训计划方面做出了积极努力，但网络钓鱼攻击仍然困扰着基于密码的身份验证。在本文中，我们对web密码登录过程进行了威胁分析，并强调了HTML领域的一个设计缺陷，我们建议不推荐使用。这个弱点可以被网络钓鱼和中间人(MITM)攻击利用，因为从每个输入密码字段到web服务器的web身份验证过程不是端到端安全的。我们确定了四个协议属性和一个浏览器属性，它们封装了阻止基于web的密码网络钓鱼和MITM攻击的要求，并提出了一个安全协议，用于符合这些属性的新输入凭据字段。我们通过滥用案例评估进一步分析提议的协议，并执行测试实现，以了解其数据和执行开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE Conference on Dependable and Secure Computing (DSC)

自引率

0.00%

发文量